Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH9.0 server. My problem is that every time my LAN clients want to access my Apache, their connections are refused. But when I turn off my firewall, clients can freely access web pages.
#telnet 192.168.0.1 80
Trying 192.168.0.1...
telnet: connect to address 192.168.0.1: Connection refused
I'm quite sure the problem is with my firewall rules. Could anyone please tell me what rule should allow my LAN to access my Apache server?
My other services like Squid proxy, FTP and others are running OK, and my clients can freely access those services without any problem. Also, I use this machine as the gateway to my LAN.
My Apache IP: 192.168.0.1 ----eth1
Here's some part of my firewall script:
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
IPADDR2=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Unlimited traffic within the local network.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP
# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
--state NEW,INVALID -j REJECT
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# $LOCAL_INTERFACE_1 is the internal interface defined above; the script originally
# referenced $LOCAL_INTERFACE here, which is never set.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp \
-s $IPADDR2 --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 80 -j REDIRECT --to-port 3128
Any suggestions? Please help.
rhonneil
Why are you telnetting to port 80? If http was to return a shell it would probably work. If you really want to use telnet, open port 23, and setup a telnet service.
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73452 date=1068089440]
Why are you telnetting to port 80? If http was to return a shell it would probably work. If you really want to use telnet, open port 23, and setup a telnet service.
[/quote]
Hi!
Yes, indeed my HTTP service is running. In fact, I can access web pages when HTTP is running without a firewall. However, it's the other way around: when my firewall is running I can't access my Apache web pages.
I tried to modify this entry:
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 80 -j REDIRECT --to-port 3128
and changed port 80 to 8080. Now I can access web pages on my Apache ONLY when the IP address [192.168.0.1] is typed into the web address bar, but not with the NetBIOS name [www.mydomain.com] and also not when using my external IP [203.x.x.1], even though these entries have been defined in my DNS records and are working without a problem.
Here's my firewall rule:
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# $LOCAL_INTERFACE_1 is the internal interface defined below; the script originally
# referenced $LOCAL_INTERFACE here, which is never set.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp \
-s $IPADDR2 --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
Where my variables are:
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
IPADDR2=`ifconfig eth1 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
I just used telnet from my client to check whether HTTP rejected my request to access port 80.
Thank you very much for your time. I really appreciate your help.
rhonneil
Sorry about that. I see where you are going with it now. The telnet threw me off.
Have you updated your /etc/hosts, and /etc/host.allow files? Just add a
192.168.0.1 myhost myhost.mydomain.com
to rid yourself of having to enter the IP.
Have you seen what tcpdump spits out on the packets trying to come in, or checked the firewall log?
Have you tried using an "any" function to see if this is where it's holding it back?
[quote]
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
[/quote]
On the source ports for some, aren't you going through squid? Is it trying to go through 3128?
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73454 date=1068094696]
Sorry about that. I see where you are going with it now. The telnet threw me off.
Have you updated your /etc/hosts, and /etc/host.allow files? Just add a
192.168.0.1 myhost myhost.mydomain.com
to rid yourself of having to enter the IP.
[/quote]
Yes, I have already included this in my /etc/hosts.
I don't have an /etc/host.allow file; I removed it. All access permissions are provided by my iptables.
[quote]Have you seen what tcpdump spits out on the packets trying to come in, or checked the firewall log?[/quote]
Yes, packets are trying to come in, but not successfully.
[quote]Have you tried using an "any" function to see if this is where it's holding it back?
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
[/quote]
I had just added these entries and was trying to see what their effect would be. I commented them out and there was no effect, so I have now removed them. Thanks for the comment.
[quote]On the source ports for some, aren't you going through squid? Is it trying to go through 3128?[/quote]
I am using a transparent proxy for my Squid to speed up access to web pages on port 3128. It is not configured to act as proxy-forward at this moment, if this is what you mean.
Now, my problem is that my Apache can't be accessed via the web with the firewall running. Shutting down the firewall, however, provides access to my web pages.
What could be wrong with these firewall entries:
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 8080 -j REDIRECT --to-port 3128
Thanks for your help
rhonneil
So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light for both of us.
From what I've collected, you can access it from the internal private network. Correct?
Please excuse my rusty iptables knowledge. Doesn't the "! --syn" disallow a SYN flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?
Just some last minute ideas. I'll read it more carefully tomorrow when I'm awake. ;D
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73463 date=1068102856]
So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us. [/quote]
Yes, I can't get into my Apache server despite the iptables rules I set.
[quote]From what I've collected, you can access from the internal private network. correct?[/quote]
Yes, you're right. Even when my firewall is running.
[quote]Please excuse my rusty iptable knowledge. Doesn't the "! --syn" disallow a syn flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?[/quote]
Yes, you're right: ! --syn disallows a SYN flag.
Also, my FTP service can pass successfully using SYN and ACK to my server via $EXTERNAL_INTERFACE; the iptables entries are as follows:
# ------------------------------------------------------------------
# FTP client (21)
# ------------------------------------------------------------------
#
# Outgoing request
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 21 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
thanks a million,
rhonneil
Also, I made the following rules, which allow my LAN to access my Apache using the name [www.mycompany.com]. Previously I could only open my Apache when using the IP address.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
Now, my remaining problem is that whenever I access my web pages from the internet I get a refused connection.
Please see my firewall rules; I hope you can make recommendations.
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
Thanks a million for your help.
rhonneil
[quote author=rhonneil link=board=4;threadid=8072;start=0#msg73450 date=1068088118]
Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH9.0 server. My problem is that every time my LAN clients want to access my Apache, their connections are refused. But when I turn off my firewall, clients can freely access web pages.
[/quote]
Alright, analyzing a little bit, section by section.
The firewall script starts below.
#telnet 192.168.0.1 80
Trying 192.168.0.1...
telnet: connect to address 192.168.0.1: Connection refused
I'm quite sure the problem is with my firewall rules. Could anyone please tell me what rule should allow my LAN to access my Apache server?
My other services like Squid proxy, FTP and others are running OK, and my clients can freely access those services without any problem. Also, I use this machine as the gateway to my LAN.
My Apache IP: 192.168.0.1 ----eth1
Here's some part of my firewall script:
I guess you must have modified someone else's script or something; otherwise why have two variables for the same IP?
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
IPADDR2=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
A bunch of variables are set.
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
Flushing iptables.
iptables -F
iptables -F -t nat
iptables -X
Default policy is drop for everything.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
All traffic coming from the interface "lo" is accepted, as is all traffic destined for it.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
All traffic coming from/going to 192.168.0.0/16 is accepted
# Unlimited traffic within the local network.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
All remaining TCP packets on the input chain are dropped.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Er, what? That can't be good if you want to run a server; the packets destined for it are dropped right here. At least, I'm pretty sure that's what you just did with that rule. Remember, the first rule that matches a packet is the one used.
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP
# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
--state NEW,INVALID -j REJECT
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# $LOCAL_INTERFACE_1 is the internal interface defined above; the script originally
# referenced $LOCAL_INTERFACE here, which is never set.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp \
-s $IPADDR2 --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 80 -j REDIRECT --to-port 3128
Any suggestions? Please help.
rhonneil
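As an added illustration (not code from anyone in this thread), the small Python model below walks the script's filter INPUT chain the way netfilter does: the first matching rule decides, and the chain policy decides anything that falls through. It models only the matches the script itself uses (-i, -s, -d, -p, --syn, --tcp-flags and port ranges). Two things fall out of it. A plain SYN arriving on eth0 for port 80 matches none of the "HTTP client (80)" rules, because those accept replies from remote web servers (! --syn --source-port 80) to this host's own outbound connections, so the packet falls through to the policy DROP; and --tcp-flags ALL ALL only matches packets with every TCP flag set, so it is not what stops ordinary traffic. The model also shows what appending a server-side rule for destination port 80 on eth0 changes. Assumptions: 203.0.113.1 stands in for the redacted external address 203.x.x.1, 198.51.100.7 is a constructed remote client, conntrack state and the nat PREROUTING REDIRECT (which rhonneil found was intercepting LAN port-80 traffic) are outside the model, and SERVER_RULE is my suggestion, not a rule from the thread; it would need a matching OUTPUT rule for the replies (-o eth0 -p tcp ! --syn --source-port 80) beside it.

```python
"""Toy first-match walker for the thread's filter INPUT chain (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-ins for the script's variables (the thread redacts 203.x.x.1).
IPADDR = "203.0.113.1"    # $IPADDR, the eth0 address
IPADDR2 = "192.168.0.1"   # $IPADDR2, the eth1 address Apache listens on
ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
NONE: FrozenSet[str] = frozenset()
UNPRIVPORTS = (1024, 65535)  # the script's "1024:"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    text: str                        # the iptables line this rule stands for
    target: str                      # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s network
    dst: Optional[str] = None        # -d host
    proto: Optional[str] = None      # -p
    syn: Optional[bool] = None       # True for --syn, False for ! --syn
    tcp_flags: Optional[Tuple[FrozenSet[str], FrozenSet[str]]] = None  # --tcp-flags MASK COMP
    sport: Optional[Tuple[int, int]] = None  # --source-port lo:hi
    dport: Optional[Tuple[int, int]] = None  # --destination-port lo:hi

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.syn is not None:
            # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
            is_syn = "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})
            if is_syn != self.syn:
                return False
        if self.tcp_flags is not None:
            mask, comp = self.tcp_flags
            if (p.flags & mask) != comp:
                return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


# The script's INPUT rules that can see a port-80 packet, in the order the script adds them.
ORIGINAL_INPUT = [
    Rule("iptables -A INPUT -i lo -j ACCEPT", "ACCEPT", in_iface="lo"),
    Rule("iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j ACCEPT", "ACCEPT",
         in_iface="eth1", src="192.168.0.0/16"),
    Rule("iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP", "DROP",
         proto="tcp", tcp_flags=(ALL, ALL)),
    Rule("iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP", "DROP",
         proto="tcp", tcp_flags=(ALL, NONE)),
    # "HTTP client (80)": replies from remote web servers to this host's own browsing
    Rule("iptables -A INPUT -i eth0 -p tcp ! --syn --source-port 80 -d $IPADDR "
         "--destination-port 1024: -j ACCEPT", "ACCEPT", in_iface="eth0", proto="tcp",
         syn=False, sport=(80, 80), dst=IPADDR, dport=UNPRIVPORTS),
]
POLICY = "DROP"  # iptables -P INPUT DROP

# Suggested server-side rule (assumption, not from the thread): connections TO port 80 on eth0.
SERVER_RULE = Rule("iptables -A INPUT -i eth0 -p tcp -d $IPADDR --destination-port 80 -j ACCEPT",
                   "ACCEPT", in_iface="eth0", proto="tcp", dst=IPADDR, dport=(80, 80))
INPUT_WITH_SERVER_RULE = ORIGINAL_INPUT + [SERVER_RULE]


def verdict(chain, packet, policy=POLICY):
    """Return (target, rule text): the first matching rule wins, else the chain policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target, rule.text
    return policy, "chain policy"


# Constructed sample packets.
SYN_FROM_INTERNET = Packet("eth0", "198.51.100.7", IPADDR, 40000, 80, frozenset({"SYN"}))
REPLY_FROM_WEBSERVER = Packet("eth0", "198.51.100.7", IPADDR, 80, 40000, frozenset({"ACK"}))
SYN_FROM_LAN = Packet("eth1", "192.168.0.10", IPADDR2, 40000, 80, frozenset({"SYN"}))
XMAS_FROM_INTERNET = Packet("eth0", "198.51.100.7", IPADDR, 40000, 80, ALL)

if __name__ == "__main__":
    samples = [("SYN from internet", SYN_FROM_INTERNET), ("reply from web server", REPLY_FROM_WEBSERVER),
               ("SYN from LAN", SYN_FROM_LAN), ("all-flags packet", XMAS_FROM_INTERNET)]
    for chain_name, chain in [("original", ORIGINAL_INPUT), ("with server rule", INPUT_WITH_SERVER_RULE)]:
        for label, pkt in samples:
            print(f"{chain_name:16} {label:22} -> {verdict(chain, pkt)}")
```

Running it prints the verdict and the rule text for each packet against both chains; the LAN SYN is accepted by the eth1 intranet rule in both, the internet SYN is dropped by policy until SERVER_RULE is appended, and the all-flags packet is dropped by the --tcp-flags ALL ALL rule in both because it sits earlier in the chain.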
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73463 date=1068102856]
So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us.
From what I've collected, you can access from the internal private network. correct?
Please excuse my rusty iptable knowledge. Doesn't the "! --syn" disallow a syn flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?
Just some last minute ideas. I'll read it more carefully tomorrow when I'm awake. ;D
[/quote]
Yeah, that was confusing me. "LAN clients" I would take to mean the internal network, but if that can connect okay even when the firewall is running, it's gotta be the external stuff he's having problems with?